commit: bf96509f09ff0319b82a07f8f8a858293e82ed8c
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed May 24 23:36:04 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 25 16:32:29 2017 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bf96509f
corenet/sysadm: Move lines.
policy/modules/kernel/corenetwork.if.in | 138 ++++++++++++++++----------------
policy/modules/roles/sysadm.te | 6 +-
2 files changed, 72 insertions(+), 72 deletions(-)
diff --git a/policy/modules/kernel/corenetwork.if.in
b/policy/modules/kernel/corenetwork.if.in
index 46fc4f11..4d618d94 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -213,6 +213,60 @@ interface(`corenet_spd_type',`
########################################
## <summary>
+## Define type to be an infiniband pkey type
+## </summary>
+## <desc>
+## <p>
+## Define type to be an infiniband pkey type
+## </p>
+## <p>
+## This is for supporting third party modules and its
+## use is not allowed in upstream reference policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be used for infiniband pkeys.
+## </summary>
+## </param>
+#
+interface(`corenet_ib_pkey',`
+ gen_require(`
+ attribute ibpkey_type;
+ ')
+
+ typeattribute $1 ibpkey_type;
+')
+
+########################################
+## <summary>
+## Define type to be an infiniband endport
+## </summary>
+## <desc>
+## <p>
+## Define type to be an infiniband endport
+## </p>
+## <p>
+## This is for supporting third party modules and its
+## use is not allowed in upstream reference policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be used for infiniband endports.
+## </summary>
+## </param>
+#
+interface(`corenet_ib_endport',`
+ gen_require(`
+ attribute ibendport_type;
+ ')
+
+ typeattribute $1 ibendport_type;
+')
+
+########################################
+## <summary>
## Send and receive TCP network traffic on generic interfaces.
## </summary>
## <desc>
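Review bot: The `<param name="domain">` entries on `corenet_ib_pkey` and `corenet_ib_endport` contradict their own summaries, which describe a type being tagged with `ibpkey_type` / `ibendport_type` rather than a process domain. The text is carried over as-is by the move, but a third-party module author reading the generated documentation could take the argument for a domain. Naming it for what `typeattribute $1 ibpkey_type;` actually receives, e.g. `## <param name="type">` in both blocks, would remove the ambiguity. If other type-declaring interfaces in this file use the same name (not visible in this hunk), they are better fixed together in a follow-up. The `<summary>` and the first `<p>` of each `<desc>` also repeat the same sentence, so one of them can go.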
@@ -3138,51 +3192,6 @@ interface(`corenet_relabelto_all_packets',`
########################################
## <summary>
-## Unconfined access to network objects.
-## </summary>
-## <param name="domain">
-## <summary>
-## The domain allowed access.
-## </summary>
-## </param>
-#
-interface(`corenet_unconfined',`
- gen_require(`
- attribute corenet_unconfined_type;
- ')
-
- typeattribute $1 corenet_unconfined_type;
-')
-
-########################################
-## <summary>
-## Define type to be an infiniband pkey type
-## </summary>
-## <desc>
-## <p>
-## Define type to be an infiniband pkey type
-## </p>
-## <p>
-## This is for supporting third party modules and its
-## use is not allowed in upstream reference policy.
-## </p>
-## </desc>
-## <param name="domain">
-## <summary>
-## Type to be used for infiniband pkeys.
-## </summary>
-## </param>
-#
-interface(`corenet_ib_pkey',`
- gen_require(`
- attribute ibpkey_type;
- ')
-
- typeattribute $1 ibpkey_type;
-')
-
-########################################
-## <summary>
## Access unlabeled infiniband pkeys.
## </summary>
## <param name="domain">
@@ -3215,34 +3224,25 @@ interface(`corenet_ib_access_all_pkeys',`
########################################
## <summary>
-## Define type to be an infiniband endport
+## Manage subnets on all labeled Infiniband endports
## </summary>
-## <desc>
-## <p>
-## Define type to be an infiniband endport
-## </p>
-## <p>
-## This is for supporting third party modules and its
-## use is not allowed in upstream reference policy.
-## </p>
-## </desc>
## <param name="domain">
## <summary>
-## Type to be used for infiniband endports.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`corenet_ib_endport',`
+interface(`corenet_ib_manage_subnet_all_endports',`
gen_require(`
attribute ibendport_type;
')
- typeattribute $1 ibendport_type;
+ allow $1 ibendport_type:infiniband_endport manage_subnet;
')
########################################
## <summary>
-## Manage subnets on all labeled Infiniband endports
+## Manage subnet on all unlabeled Infiniband endports
## </summary>
## <param name="domain">
## <summary>
@@ -3250,24 +3250,24 @@ interface(`corenet_ib_endport',`
## </summary>
## </param>
#
-interface(`corenet_ib_manage_subnet_all_endports',`
- gen_require(`
- attribute ibendport_type;
- ')
-
- allow $1 ibendport_type:infiniband_endport manage_subnet;
+interface(`corenet_ib_manage_subnet_unlabeled_endports',`
+ kernel_ib_manage_subnet_unlabeled_endports($1)
')
########################################
## <summary>
-## Manage subnet on all unlabeled Infiniband endports
+## Unconfined access to network objects.
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## The domain allowed access.
## </summary>
## </param>
#
-interface(`corenet_ib_manage_subnet_unlabeled_endports',`
- kernel_ib_manage_subnet_unlabeled_endports($1)
+interface(`corenet_unconfined',`
+ gen_require(`
+ attribute corenet_unconfined_type;
+ ')
+
+ typeattribute $1 corenet_unconfined_type;
')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index aa687f78..508d2a9f 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -27,6 +27,9 @@ ifndef(`enable_mls',`
corecmd_exec_shell(sysadm_t)
+corenet_ib_access_unlabeled_pkeys(sysadm_t)
+corenet_ib_manage_subnet_unlabeled_endports(sysadm_t)
+
dev_read_kmsg(sysadm_t)
mls_process_read_all_levels(sysadm_t)
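Review bot: The two relocated calls, `corenet_ib_access_unlabeled_pkeys(sysadm_t)` and `corenet_ib_manage_subnet_unlabeled_endports(sysadm_t)`, land in the general rule list with no comment explaining why sysadm_t needs access to unlabeled InfiniBand objects. "Unlabeled" presumably covers every pkey and endport the policy gives no explicit label, so this is a broad grant and a reader auditing sysadm_t would want the rationale next to it, for example `# InfiniBand: sysadm may use pkeys and manage subnets on endports that have no explicit label`. The hunk header shows `ifndef(`enable_mls',` as context and the indentation is not visible here, so it is worth confirming the calls sit at top level rather than inside that conditional, which would make the grant disappear on MLS builds.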
@@ -46,9 +49,6 @@ selinux_read_policy(sysadm_t)
userdom_manage_user_home_dirs(sysadm_t)
userdom_home_filetrans_user_home_dir(sysadm_t)
-corenet_ib_access_unlabeled_pkeys(sysadm_t)
-corenet_ib_manage_subnet_unlabeled_endports(sysadm_t)
-
ifdef(`direct_sysadm_daemon',`
optional_policy(`
init_run_daemon(sysadm_t, sysadm_r)